Known Issues
The mystery of “Valid existing certificate” setting in ADCS certificate templates – demystified
This is a follow-up to the “Certificate renewal request is placed in pending state when Valid Existing Certificate is selected in certificate template” blog post and the final nail in the subject. Let’s reiterate the problem. ADCS Certificate Templates provide configuration for issuance requirements, which allows you to forcibly put a request in a pending state (no automatic issuance)…
Certificate renewal request is placed in pending state when Valid Existing Certificate is selected in certificate template
Hello S-1-1-0, here is a new blog post after a long time. Today I want to talk about the issue where “Valid existing certificate” does not bypass the CA Manager approval and/or enrollment agent requirement during certificate renewal in Microsoft CA. In the certificate template settings, under Issuance Requirements, we can configure additional requirements for enrollment and re-enrollment…
Microsoft Security Advisory for ADCS exploit – ADV210003
This morning we provided details to our existing support and co-management customers on a recent notice of vulnerability to certain Microsoft ADCS configurations. The exploit involves NTLM and leveraging some ADCS PKI components. Full details can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV210003.

Summary: In environments with NTLM authentication still enabled in Active Directory and when using ADCS…
OCSP Magic Number
The magic number is a value that states when CRLs will be processed in preference to OCSP. Specifically, it is the total number of cached OCSP responses from a single OCSP responder URL on behalf of a single certificate authority at which OCSP stops being performed and CRL processing starts. This will occur if the number of cached…
Announcing the Online PKI Assessment Portal
I am extremely proud to announce that today we have launched our Online PKI Assessment Portal. This new service is the first of its kind to offer online, automated, self-paced reviews and assessments of Microsoft ADCS-based PKIs. We have been performing onsite PKI Assessments for customers for years now. Typically focused on the design,…